Skip to content

OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

Moderate severity GitHub Reviewed Published Feb 23, 2026 in openclaw/openclaw • Updated Mar 19, 2026

Package

npm openclaw (npm)

Affected versions

< 2026.2.22

Patched versions

2026.2.22

Description

Summary

In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\\ + newline + ( inside double quotes. Analysis treated the payload as allowlisted (for example /bin/echo), while shell runtime folded the line continuation into $(...) and executed non-allowlisted subcommands.

Affected Packages / Versions

  • Package: npm openclaw
  • Latest published affected version: 2026.2.21-2
  • Affected range: <=2026.2.21-2
  • Patched version (planned next release): 2026.2.22

Impact

In deployments that opt into tools.exec.security=allowlist (with ask=on-miss or off), this can bypass approval boundaries and lead to unintended command execution.

Fix Commit(s)

  • 3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9

Remediation

  • Upgrade to 2026.2.22 (or newer) when published.
  • Temporary mitigation: set tools.exec.ask=always or tools.exec.security=deny.

Release Process Note

patched_versions is pre-set to planned next release 2026.2.22. After npm release is out, this advisory should be ready for direct publish without additional metadata edits.

OpenClaw thanks @tdjackey for reporting.

References

@steipete steipete published to openclaw/openclaw Feb 23, 2026
Published to the GitHub Advisory Database Mar 3, 2026
Reviewed Mar 3, 2026
Last updated Mar 19, 2026

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(6th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Learn more on MITRE.

CVE ID

CVE-2026-28460

GHSA ID

GHSA-9868-vxmx-w862

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.